Lenovo releases tool to purge Superfish 'junkware'

Lenovo has released a promised tool to delete the Superfish Visual Discovery adware from its consumer PCs.

The tool automates the manual process that Lenovo described earlier in the week after the Superfish "crapware" exploded in its face. The same tool also deletes the self-signed certificate that experts said was a huge security threat to anyone with a Superfish-equipped Lenovo system.

Lenovo confirmed that it is working with two of its partners, antivirus vendor McAfee and Windows-maker Microsoft, to automatically scrub or isolate Superfish and remove the certificate, for those customers who do not hear about its cleaning tool.

"We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies," Lenovo said in a statement. "These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem."

Ironically, McAfee's Internet Security is another pre-loaded program Lenovo adds to its consumer PCs and 2-in-1s. Those programs, called "bloatware," "junkware" and "crapware," are factory-installed by Lenovo to generate revenue. Lenovo places a 30-day trial of McAfee Internet Security on its consumer PCs, for example, then gets a cut of the money customers spend to upgrade the trial to a paid subscription.

Security experts have called on Lenovo, and the PC industry in general, to halt the practice of pre-loading third-party software on their machines. "Bloatware needs to stop," said Ken Westin, security analyst at security firm Tripwire. Westin and others argued that crapware poses security and privacy threats, something Superfish illustrated all too well.

The issue with Superfish was how it injected ads into secure websites, like Google.

To serve ads on encrypted websites, Superfish installed a self-signed root certificate into the Windows certificate store, as well as into Mozilla's certificate store for the Firefox browser and Thunderbird email client. That Superfish certificate then re-signed all certificates presented by domains using HTTPS. That meant a browser trusted all the fake certificates generated by Superfish, which was effectively conducting a classic "man-in-the-middle" (MITM) attack able to spy on supposedly secure traffic between a browser and a server.

At that point, all hackers needed to do was crack the password for the Superfish certificate to launch their own MITM attacks by, for example, duping Lenovo PC users into connecting to a malicious Wi-Fi hotspot in a public place, like a coffee shop or airport.

Cracking the password proved laughably easy, and within hours it was circulating on the Internet.
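The re-signing behavior described above leaves a recognizable trace on an affected PC: certificate chains for unrelated HTTPS sites all end at the same locally trusted root that the OS or browser vendor never shipped. The following sketch is an added example, not code from Lenovo, Superfish or any vendor named in the article; the baseline root names, the hostnames, the chain records and the root name string "Superfish, Inc." are constructed assumptions for illustration.

```python
from collections import defaultdict

# Assumed baseline: names of roots the OS/browser vendor ships.
# Constructed and fictional; a real audit would export the vendor's list.
BASELINE_ROOTS = {"Example Public Root A", "Example Public Root B"}


def find_interception_roots(observations, baseline=BASELINE_ROOTS, min_hosts=2):
    """Return {root_name: sorted hosts} for roots outside the baseline that
    anchor the chains of at least `min_hosts` different HTTPS hosts.

    `observations` is an iterable of (host, chain) pairs, where `chain` lists
    certificate subject names ordered leaf -> root, as the client validated them.
    """
    hosts_by_root = defaultdict(set)
    for host, chain in observations:
        root = chain[-1]
        if root not in baseline:
            hosts_by_root[root].add(host)
    return {
        root: sorted(hosts)
        for root, hosts in hosts_by_root.items()
        if len(hosts) >= min_hosts
    }


# Constructed sample: chains as seen on a machine without interception.
CLEAN = [
    ("www.google.com", ["www.google.com", "Example Issuing CA 1", "Example Public Root A"]),
    ("example.org", ["example.org", "Example Issuing CA 2", "Example Public Root B"]),
    ("shop.example.com", ["shop.example.com", "Example Issuing CA 1", "Example Public Root A"]),
]

# Constructed sample: the same sites when every leaf is re-signed by one
# locally installed root (name string is an assumption).
AFFECTED = [(host, [host, "Superfish, Inc."]) for host, _ in CLEAN]

if __name__ == "__main__":
    print("clean:   ", find_interception_roots(CLEAN))
    print("affected:", find_interception_roots(AFFECTED))
```

A root flagged this way still needs manual review, since enterprise TLS inspection proxies and some antivirus products produce the same pattern on purpose.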

Westin called Lenovo's adding Superfish to its PCs "a betrayal of trust" and predicted that the Chinese OEM (original equipment manufacturer) would suffer a hit to both its reputation and sales. "When they pull this kind of stuff, I know I don't want to buy a Lenovo," Westin said.

Since the vulnerability posed by Superfish went public, Lenovo has scrambled to repair the damage caused not only by the crapware, but also by its initially tone-deaf denial that the software was a security problem.

In the statement, Lenovo continued to claim that it had been in the dark. "We did not know about this potential security vulnerability until yesterday," the company said.

That doesn't let Lenovo off the hook, said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy. "What's in question here is what, if any, due diligence is performed by the manufacturers before agreeing to pre-install applications," Storms said. "What's the vetting process aside from 'How much is the third party willing to pay us?'"

Lenovo did not detail how McAfee or Microsoft might help disseminate the Superfish clean-up tool or assist in removing the application and certificate. But its use of the word "quarantine" hints that McAfee would issue its own anti-malware signature to at least isolate the program. Antivirus programs use that same quarantine practice with suspected malware.

Microsoft, in turn, could issue an update that revoked the Superfish certificate, essentially removing it from the Windows certificate store. The Redmond, Wash. company has done that in the past when certificates have been obtained illegally.

Google's Chrome, Microsoft's Internet Explorer (IE) and Opera Software's Opera use the Windows certificate store to encrypt traffic to and from Windows PCs. Even so, Google and Opera would likely issue their own revocation updates.

Mozilla is already working on revoking the Superfish certificate from the Firefox and Thunderbird certificate stores, but has not finalized plans, according to Bugzilla, the open-source developer's bug- and fix-tracker.

Lenovo's Superfish cleaning tool and updated manual removal instructions -- which now include Firefox -- can be found on its website.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.